Hackers are demanding $14 million in Bitcoin to unlock systems for 110 nursing homes across the United States, sparking a discussion on the ethical dilemma of ransomware payouts. Should VCPI pay the ransom or not? How can we learn from this experience to better protect our healthcare facilities?
“The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.” These are the two phrases that sent shivers through my body.
VCPI, a Wisconsin-based IT firm that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States, was the target of a Ryuk ransomware attack this week. The initial infection, which may have happened as early as September 2018, was likely due to a phishing email with an attachment containing malware such as Trickbot or Emotet, which laid the foundation for the Ryuk ransomware infection. The cybercriminals are demanding $14 million worth of bitcoin – which VCPI cannot afford to pay.
There have been conversations in the cybersecurity community about the ethical dilemma of paying ransom. The FBI discourages paying for several reasons: some victims never receive decryption keys after paying, some victims who pay are targeted again, and some victims are pressed for additional payments even after paying the original ransom.
However, there really is no black-and-white answer to this. Every situation is different. In VCPI’s case, the loss of access to historical patient records can result in loss of life, not to mention the closure of nursing homes. In fact, Vanderbilt University’s Owen Graduate School of Management recently published a study that showed that up to 36 additional deaths per 10,000 heart attacks occurred annually at hospitals that were breached.
So, should VCPI consider paying the ransom? Absolutely. Does this incentivize hackers to ruin more organizations? Absolutely. But in the short term, the impact on numerous businesses and human lives outweighs the cost of further incentivizing cybercriminals.
The solution – or really, mitigation – is to make sure that businesses like VCPI and nursing homes are as secure as they can be. SMBs are an easy mark for cybercriminals today, so we need to make it harder to target them. One of the first steps should be employee training to reduce the risk of human error. In this instance, the initial infection was likely due to a phishing attack. Such attacks are largely preventable if your employees are well educated and enrolled in a cybersecurity awareness training program.
Unfortunately, cyber attacks will happen, but the impact can be drastically mitigated. Regulation, which drove the adoption of fire code and fire insurance, should also drive the adoption of cybersecurity and cyber insurance, which provides a safety net that covers businesses in the event of a computer attack or cyber extortion such as ransomware. I do hope that VCPI and the impacted nursing homes have cyber insurance right now, and that they survive this attack to come out with stronger and more robust cybersecurity measures.